Thinking like the enemy

In my previous article on vulnerability management, I mentioned that when the SATAN tool was first published, there was a lot of negative reaction from the security community, because it was thought that the tool would encourage hacking. But SATAN's authors felt that in order to secure your network, you have to know how hackers might break into it.

Today, it's still a good idea to know what hackers see when they're looking at your network, and what they might be thinking. This is why a lot of security professionals (and numerous federal agents) attend DefCon, one of the most famous hacker cons, every year. In addition, many security professionals use the same tools that hackers are using, or similar ones, so that they know what those tools are and how they are being used.

While you obviously don't want to go taking down your production servers with penetration testing tools, it's not all that difficult or expensive to put together a lab consisting of virtual machines to test tools with. VMware still has a free option, plus there are several alternatives that are also free. You can set up an environment that is similar to your own, or a generic environment, and study the best ways to gain access to data. The more you can experience what a hacker experiences, the more you will understand the threats your own enterprise faces.

Hacker websites and conferences are another good source of information on what motivates hackers. They don't tell the whole story -- which is increasingly about money and power as well as hacking for the pure joy of it -- but the information you'll gain on the hacker culture and the current trends will be invaluable.

Every so often, you should hire a penetration testing team to test your network's security. How often you do this depends on what your business does and the kind of threats you face. Don't just listen to their reports and follow their recommendations; ask them what tools they use, their methodology, and the reasons behind both. Also, to the extent possible, don't place restrictions on what they can attempt to penetrate, how, or when. The more closely the test simulates a real-life scenario, the more you will learn.

If you can understand your adversary, you can strategize. Social engineering can work both ways.

Mary Ursula Herrmann

Mary Ursula Herrmann is a Network Security Analyst living in Juneau, AK. She has worked in Information Security for over 15 years, and obtained her CISSP in 2005.